Visual Studio Code-delivered JavaScript backdoor
Malware Activity
Summary
Hide ▲
Show ▼
North Korean threat actors are using malicious Next.js repositories in a fake job-recruitment campaign to trigger remote code execution (RCE) on developer systems and establish persistent command-and-control (C2). Microsoft says the repositories are disguised as technical assessment materials and use multiple execution paths, including Visual Studio Code workspace automation and Node.js-based loader behavior, to fetch and run attacker-controlled JavaScript. The activity is intended to reach source code, environment secrets, and build or cloud resources on infected machines.
Related Happenings
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
Visual Studio Code VS Code token-theft zero-day security flaw
Vulnerability
H score44
First: 03.06.2026 09:50
Last: 03.06.2026 09:50
Sources 1
About this happening:
A **Visual Studio Code (VS Code) zero-day** lets attackers steal **GitHub OAuth tokens** by abusing the editor's **sandboxed webview message-passing system**. The flaw is especial...
Visual Studio Code VS Code token-theft zero-day security flaw
VulnerabilityAbout this happening: A **Visual Studio Code (VS Code) zero-day** lets attackers steal **GitHub OAuth tokens** by abusing the editor's **sandboxed webview message-passing system**. The flaw is especial...
Latest development: 03.06.2026 15:58
Microsoft has acknowledged a Visual Studio Code vulnerability that can let an attacker use a crafted link and malicious webview message-passing to steal a victim's GitHub OAuth token via GitHub.dev, and said it is working on a fix; Microsoft also said the issue does not affect VS Code Desktop.
Timeline
-
22.01.2026 00:00 3 articles · 5mo ago
Contagious Interview adds VS Code backdoor delivery
Initial DisclosureJamf Threat Labs disclosed that North Korean threat actors behind the Contagious Interview campaign are using a new Visual Studio Code delivery path that lures software developers to open malicious GitHub or GitLab repositories, prompts them to trust the repository author, and then executes a malicious configuration file that can run arbitrary commands and drop a previously unseen JavaScript backdoor via Node.js on macOS systems.
Show sources
- 'Contagious Interview' Attack Now Delivers Backdoor Via VS Code — www.darkreading.com — 22.01.2026 00:00
- 'Contagious Interview' Attack Now Delivers Backdoor Via VS Code — www.darkreading.com — 22.01.2026 00:00
- Malicious Next.js Repos Target Developers Via Fake Job Interviews — www.darkreading.com — 25.02.2026 18:42